Yahoo Triples Estimate of Breached Accounts to 3 Billion

A massive data breach at Yahoo in 2013 was far more extensive than previously disclosed, affecting all of its 3 billion user accounts, new parent company Verizon Communications Inc. said on Tuesday.

The figure, which Verizon said was based on new information, is three times the 1 billion accounts Yahoo said were affected when it first disclosed the breach in December 2016. The new disclosure, four months after Verizon completed its acquisition of Yahoo, shows that executives are still coming to grips with the extent of the security problem in what was already the largest hacking incident in history by number of user accounts.

Continue Reading Below

A spokesman for Oath, the Verizon unit that now includes Yahoo, said the company determined within the past week that the break-in was much worse than thought, after it received new information from outside the company. He declined to elaborate on that information. Compromised customer information included usernames, passwords, and in some cases telephone numbers and dates of birth, the spokesman said.

Several other major cyberattacks recently have focused attention on the vulnerability of big companies that possess enormous amounts of vital personal information about their customers.

On Tuesday, lawmakers slammed former Equifax Inc. Chief Executive Richard Smith for his company's handling of a data breach that affected more than 140 million consumers. The Securities and Exchange Commission and the accounting firm Deloitte also disclosed major hacks in recent weeks.

The number of individuals affected by the 2013 attack is smaller than 3 billion, because some people have multiple accounts across Yahoo's sites, including email, fantasy sports, Tumblr and Flickr, the spokesman said. He said Oath will immediately begin notifying by email users who own the additional roughly 2 billion accounts. That is expected to take several days, he said.

Victims won't need to take additional action, however, because Yahoo already forced all account holders to reset their passwords after the December 2016 disclosure.

Advertisement

Verizon's chief information security officer, Chandra McMahon, said in a statement that the company is "committed to the highest standards of accountability and transparency" and that Yahoo's cybersecurity team was benefiting from Verizon's "experience and resources."

The disclosure is the latest chapter in a long-running saga that tattered the reputation of a former Silicon Valley icon and continues to spawn problems for its new owner. It began in September 2016, two months after Verizon agreed to acquire the fallen internet pioneer, with Yahoo first disclosing a separate attack that took place in 2014 and affected 500 million accounts. Yahoo later revealed the larger 2013 incident.

In March, the U.S. Justice Department indicted four men in the 2014 hack, including two Russian intelligence officers who it said directed it. Authorities said the two paid hackers to steal information so the Russians could spy on diplomats, journalists and company officials.

A Russian official at the time said the charges amounted to "the next round of raising the theme of 'Russian hackers' in the domestic political squabbles in the U.S."

Sen. John Thune (R-S.D.) said Tuesday the Senate Commerce Committee would call witnesses from Yahoo and Equifax to testify later this month about the breaches.

"After a breach, affected consumers expect organizations that failed to safeguard sensitive information to be forthcoming," he said in a statement.

Avivah Litan, an analyst with industry research firm Gartner Inc., said the Yahoo incidents illustrate the growing role of sophisticated hackers often backed by governments in the ongoing plague of data breaches.

She said it is surprising that Yahoo didn't uncover the full extent of the issue during its 2016 investigation. She said it suggested that the company didn't have effective records for keeping track of access to its systems, known as audit logs. "Usually an audit trail will tell you what records and what databases were accessed," she said.

The breaches already have been costly for Yahoo, and lawsuits and a regulatory investigation could add to that. Verizon agreed to buy it in mid-2016 for $4.83 billion, but the deal was delayed after Yahoo's disclosure of the two large hacks, plus a third incident in which hackers forged digital files, called cookies, that could have been used to access 32 million user accounts.

Verizon knocked $350 million off the deal price as a result of those breaches, ultimately paying $4.48 billion. When renegotiating the price, executives at Verizon built into their assumptions that Yahoo's entire user base had been breached, but didn't find the evidence until now, a person familiar with the matter said.

The deal closed in June 2017, and Verizon gave up its right to sue the entity that sold Yahoo, now called Altaba Inc., over any allegations that it had covered up the hacks. Yahoo now operates alongside AOL in Verizon's Oath subsidiary, which is seeking to build a digital media and advertising business.

In addition, Yahoo's former Chief Executive, Marissa Mayer, gave up her 2016 cash bonus following the incident and the company's top lawyer, Ronald Bell, resigned after a board review found problems with the company's handling of this and the other breaches.

Ms. Mayer couldn't immediately be reached. In a statement at the time, she said she learned that a "large" amount of user data was stolen in September 2016. Mr. Bell didn't immediately respond to a request for comment.

About 43 consumer class-action lawsuits have been filed against the company relating to these security incidents, Yahoo said in a May filing with the SEC. The SEC itself has opened an investigation into whether Yahoo should have reported the two incidents sooner to investors.

The Oath spokesman said the new disclosure won't affect the terms of Verizon's acquisition, in which it agreed to evenly split with Altaba costs and liabilities related to any lawsuits from consumers or partners about the breaches. Altaba retains liability for the SEC investigation and any shareholder lawsuits.

The status of the SEC investigation is unclear. The SEC issued guidance in 2011 that required companies to disclose material information about cybersecurity issues, and legal experts have said the agency has been looking for a case to clarify what type of conduct would warrant an enforcement action. The SEC on Tuesday declined to comment.

In the May SEC filing, Yahoo also said it is "cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents" about the incident, including the Federal Trade Commission, the SEC, the U.S. Attorney's Office for the Southern District of New York, and two State Attorneys General.

Bob Lord, who oversaw cybersecurity at Yahoo, left the company last month. He didn't immediately respond to a request for comment. Chris Nims, who previously worked at AOL, now oversees cybersecurity for all of Oath, and works closely with Verizon's Ms. McMahon.

Write to Robert McMillan at Robert.Mcmillan@wsj.com and Ryan Knutson at ryan.knutson@wsj.com